If you're familiar with my tutorials, you might know they're usually long. This is yet another case. This is a very simple tutorial for a (somewhat) complicated problem with EMET, and a very long explanation of the problem. It's boring, so skip to the "A Light at the End of the Tunnel" part if you're just looking for the answer.

------------------------------------------------------------

Before the release of the (problematic) EMET 5.5, we had EMET 5.2. It worked as it's supposed to, no complaints in regards to its deployment. Then, Microsoft decided to release a new version of EMET that was compatible with Windows 10, and that changed the game for a lot of people. You see, making good software compatible with Windows 10 is not a problem, but you might know that Microsoft, in its recent years, is pushing things down everybody's throat (cough cough, Windows 10). You might think that, since EMET is mostly used in corporate environments, Microsoft wouldn't push its products through it... and you'd probably be wrong.

Since the release of EMET 5.5, some users won't be able to easily change the System-Wide DEP setting to anything other than "Application Opt Out", because apparently Microsoft thinks everybody uses BitLocker for drive encryption. Either that, or they want people to use it, which is a little suspicious to say the least. If you try to change that setting, EMET will say that BitLocker needs to be suspended, then you click OK, then it says BitLocker couldn't be suspended, then it will output an error. You can see this in action here (link). This is odd behavior because EMET should detect whether the user has BitLocker deployed or not. Originally I thought this was caused by my Windows 10 and 7 being Home versions (which are NOT able to use BitLocker), but that is not it.

I tried doing the same procedure in Windows 7 Ultimate, and here's what I found out:

- It works fine on VirtualBox, probably because it emulates TPM modules;
- It doesn't work on my real hardware, because I don't have a TPM module;
- If I disable the TPM requirement for BitLocker in gpedit, it still won't work;
- However, if I start encrypting my drive with BitLocker, EMET will be able to detect that BitLocker is running, then it will suspend it for a few seconds, and then I'm able to change the DEP setting within EMET.

I can only think of two possible scenarios: either Microsoft dumbed down more than usual, or they're saying we must be using BitLocker or we must have a TPM module in order to enable DEP via EMET. I think this because it's not possible to find a solution that works via EMET. Why should I need a TPM module or encrypt my drive with BitLocker in order to use DEP?

I tried using the command "--system --force dep=ApplicationOptOut", which is supposed to FORCE EMET into enabling DEP system-wide, but that didn't work; I left the command running for 2 hours and nothing happened (usually the result is instant). I also tried editing the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\EnableUnsafeSettings" registry KEY, to no avail. I simply couldn't find anything helpful on the internet.

A Light at the End of the Tunnel

Talking with Microsoft tech-helpers via chat, I noticed most couldn't even begin to understand what the problem is. Only two people were helpful: a lady who said the problem was in my BIOS (which isn't completely false, though the lack of details would initially suggest she was just trying to get rid of me), and a guy who wrote the following command:

Code:
    bcdedit.exe /set {current} nx AlwaysOn

I did try the command, but since we were talking live on chat I couldn't just reboot, because it would be hard to resume support with him after rebooting, the only guy who stayed with me for hours straight and even did a remote connection to try to help me. So initially I thought the command didn't do anything... until I rebooted the machine. Surprisingly, the command worked the way I wanted. Obviously it's not the same as enabling the rule via EMET, but that is the least of my concerns. If EMET can read what I set up, that's what I want... and that's what I got.

So how does it work? First, open CMD as Administrator.

If you want EMET to recognize DEP as AlwaysOn, the command is this:

Code:
    bcdedit.exe /set {current} nx AlwaysOn

If you want EMET to recognize DEP as ApplicationOptOut, the command is this:

Code:
    bcdedit.exe /set {current} nx OptOut

PS: Some programs/games will require you to disable DEP via Advanced System Settings -> Performance -> Data Execution Prevention, just like with older versions of EMET. Two examples are GTA Vice City and GTA III.

Done! A simple fix for a stupid change in EMET. Happy mitigating.
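To confirm what the boot entry carries and what Windows actually reports as the effective DEP policy after the bcdedit change and reboot, here is an added PowerShell check (my example, not the original poster's or Microsoft's). It assumes the bcdedit nx element names used above and the Win32_OperatingSystem DataExecutionPrevention_* properties, and it only writes to the BCD store when run with -Apply.

```powershell
# Added example, not from the original post: report the DEP policy the boot
# entry carries and the policy Windows reports as effective, so the bcdedit
# change can be verified after reboot. Run from an elevated PowerShell prompt
# (Windows PowerShell 3 or later for Get-CimInstance). Read-only unless -Apply.
param(
    [ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')]
    [string]$Desired = 'OptOut',
    [switch]$Apply
)

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy -> bcdedit nx names.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-BcdNx {
    # Parse the 'nx' element of the running boot entry. The braces must be
    # quoted, or PowerShell treats {current} as a script block.
    foreach ($line in (bcdedit.exe /enum '{current}')) {
        if ($line -match '^\s*nx\s+(\S+)\s*$') { return $Matches[1] }
    }
    return '(not set)'   # no explicit nx element in this boot entry
}

function Get-EffectiveDep {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Available = $os.DataExecutionPrevention_Available   # hardware NX usable
        Policy    = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

$bcdNx = Get-BcdNx
$eff   = Get-EffectiveDep
"BCD nx element      : $bcdNx"
"Effective DEP policy: $($eff.Policy) (hardware DEP available: $($eff.Available))"

if ($eff.Policy -eq $Desired) {
    "OK: effective policy already matches '$Desired'."
}
elseif ($Apply) {
    # The same change the post describes; it takes effect only after a reboot.
    bcdedit.exe /set '{current}' nx $Desired
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    "Set nx=$Desired in the BCD store. Reboot, then run this script again to confirm."
}
else {
    "MISMATCH: wanted '$Desired'. Re-run with -Apply to set it (reboot required)."
}
```

A BCD value that differs from the effective policy until the next reboot is expected; that gap is exactly what the poster hit before restarting.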
I had that issue with Windows 7 and had to revert to EMET 5.2, but 5.5 worked without issues in Windows 10 on the same machine. No BitLocker used at all in either system. There is a TPM, but I'm not using it either. I will have to look at the BCD entries for each system, but they should be the same. I use a utility called Bootice for BCD editing, and I would have just used the same default settings for each entry, with the only difference being the disk and partition of each system. The Windows 10 installation is an upgrade from Windows 7, and the upgrade kept EMET 5.2, which was working with no obvious issues until I upgraded it to 5.5.
Folks, I am considering EMET 5.5 for my Windows 8.1 Pro system with BitLocker enabled throughout, no TPM. I am just running common programs. I have never run any version of EMET before. Will the default configuration work for me? Or will I have to do a lot of tedious tweaking? If it does not work out for me, will EMET 5.5 uninstall cleanly? Thanks!